I have seen the same LFI and code injection attacks discussed here and today yet more PHP attacks. This time, an attempt to exploit phpthumb via CVE-2010-1598.
Full details along with IPs seen are at: http://foxtrot7security.blogspot.com/2011/12/new-attempts-to-exploit-old-phpthumb.html
Anyone else see a big uptick in this activity today?

While reviewing today's web honeypot logs, SpiderLabs Research identified two new attack variations. Focus on Local File Inclusion attacks Here are some of the LFI attack payloads identified today: GET /_functions.php?prefix=../../../../../../../proc/self/environ%00 HTTP/1.1 GET /ashnews.php?pat...

Ryan,
You are correct. This issue is apparently related to the awstats issue we discussed last week, along with some additional information regarding code injection against phpAlbum:
http://foxtrot7security.blogspot.com/2011/12/attacks-against-awstats-also-includes.html

@Ryan -- agree completely. There are also some older PHP versions running around out there and at least one of the IPs was/is running Joomla. Lots of other ways to attack other than Apache, but Apache seems to be a pretty common link. Of course, that's to be expected...

Issue Detected Our daily web honeypot analysis has detected an increase in scanning looking for command injection flaws in the Awstats package. Here are example attacks from the logs: GET /awstats/awstats.pl?configdir=|echo;echo%20YYYAAZ;uname;id;echo%20YYY;echo| HTTP/1.0 GET /awstats/awstats....

Issue Detected Our daily web honeypot analysis has detected an increase in scanning looking for command injection flaws in the Awstats package. Here are example attacks from the logs: GET /awstats/awstats.pl?configdir=|echo;echo%20YYYAAZ;uname;id;echo%20YYY;echo| HTTP/1.0 GET /awstats/awstats....